CN106790074B - Fine-grained streaming media video encryption and decryption method based on HLS protocol - Google Patents

Publication number
CN106790074B
Authority
CN
China
Legal status
Active
Application number
CN201611192815.XA
Other languages
Chinese (zh)
Other versions
CN106790074A (en)
Inventor
杨成
李皓
刘剑波
Current Assignee
Communication University of China
Original Assignee
Communication University of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The invention discloses a fine-grained streaming media video encryption and decryption method based on the HLS protocol. The encryption method comprises: a first-layer encryption step, in which video fragments generated by an HLS protocol fragment server are encrypted with a video key using a symmetric encryption algorithm, and the video key is stored in an m3u8 index file; a second-layer encryption step, in which the m3u8 index file is encrypted with an index key using a symmetric encryption algorithm; and a third-layer encryption step, in which the index key is encrypted according to an attribute encryption algorithm and a user access control policy. Through this three-layer streaming media video encryption scheme, the invention achieves fine-grained video access permission control while ensuring the security of streaming media data transmission.

Description

Fine-grained streaming media video encryption and decryption method based on HLS protocol
Technical Field
The invention relates to the technical field of streaming media video processing, in particular to a fine-grained streaming media video encryption and decryption method based on an HLS protocol.
Background
With the development of internet technology, streaming media applications such as distance education, video conferencing and live internet broadcasting have become increasingly common. Streaming media transport depends on the protocol that carries it. Streaming transport protocols fall broadly into two categories: those based on UDP/TCP and those based on HTTP. HTTP-based technology is easy to deploy, can adapt the bit rate, and passes through firewalls well, so it is widely used in commercial live and on-demand networks. Several technologies support streaming video over HTTP (HLS is the most widely used of them); the basic principle is to split the video stream into fragments, locate them through an index, and let the user stream the video by pulling successive fragments. However, these protocols either do not consider security in transit or only define a corresponding interface. How to protect these many small video fragments while providing a conditional access mechanism for users is a problem that urgently needs to be solved.
On the other hand, current encryption schemes for video content are mainly of two types: traditional full encryption algorithms and selective encryption algorithms. Both, however, operate on the entire video as a unit, so the minimum granularity at which a user accesses a video is the entire video. Finer-grained access control, for example a website or content provider offering a time-limited trial of VIP videos, requires a separate permission control mechanism.
Disclosure of Invention
To address the above technical problem, the invention provides a fine-grained streaming media video encryption and decryption method based on the HLS protocol, which achieves fine-grained video access permission control while protecting streaming media data in transit. The technical scheme of the invention is as follows:
A fine-grained streaming media video encryption method based on the HLS protocol comprises the following steps:
a first-layer encryption step, namely encrypting the video fragments generated by the HLS protocol fragment server with a video key using a symmetric encryption algorithm, and storing the video key in an m3u8 index file;
a second-layer encryption step, namely encrypting the m3u8 index file with an index key using a symmetric encryption algorithm;
and a third-layer encryption step, namely encrypting the index key according to an attribute encryption algorithm and a user access control policy.
According to an embodiment of the present invention, in the first layer encryption step, the video slice is selectively encrypted by using the video key according to a block encryption or stream encryption algorithm.
According to an embodiment of the present invention, in the second layer encryption step described above, the m3u8 index file is selectively encrypted using the index key according to a block encryption or stream encryption algorithm.
According to an embodiment of the present invention, in the second layer encryption step, the index key is generated according to a timeline access control policy of a video program corresponding to the video slice.
According to an embodiment of the present invention, in the third layer of encryption step, the user access control policy is formulated according to a timeline access control policy and a user attribute set of a video program corresponding to the video segment.
According to an embodiment of the present invention, the third layer encryption step includes:
an initialization step, namely generating a multiplicative cyclic group and calculating a public key and a private key;
an index key encryption step, namely encrypting the index key using a secret number, a bilinear mapping function and the public key, and sharing the secret number according to a user access control policy tree to obtain a ciphertext set, wherein the user access control policy tree is obtained by describing the user access control policy as a binary tree;
and a storage step, namely storing the ciphertext set in the encrypted m3u8 index file.
Further, the ciphertext set comprises the user access control policy tree, the ciphertext obtained by encrypting the index key, and the shared parameter of each leaf node in the user access control policy tree.
According to an embodiment of the present invention, in the index key encryption step, the secret number is shared over the user access control policy tree using the Lagrange interpolation theorem.
The fine-grained streaming media video decryption method based on the HLS protocol comprises the following steps:
a first layer of decryption step, calculating an index key according to the user attribute set;
a second layer decryption step, decrypting the encrypted m3u8 index file by using the index key to obtain a decrypted m3u8 index file;
and a third layer of decryption step, namely decrypting the encrypted video slices by using the video key in the decrypted m3u8 index file.
According to an embodiment of the present invention, the first layer decryption step includes:
reading, namely reading a ciphertext set in the encrypted m3u8 index file;
decrypting an index key, namely calculating a share value of a root node of a user attribute set tree by utilizing the user attribute set tree, a secret word and the ciphertext set, and calculating the index key according to the share value of the root node; wherein the user attribute set tree is obtained by performing binary tree description on the user attribute set.
Compared with the prior art, one or more embodiments in the above scheme can have the following advantages or beneficial effects:
1) The streaming media video encryption method provided by the embodiments of the invention achieves fine-grained video access permission control while also ensuring the security of streaming media data transmission.
2) The first layer of encryption takes the video fragment as its granularity and encrypts each fragment with a video key, so that the system's control over video access permissions reaches the level of individual video fragments.
3) The invention adopts a two-layer selective encryption strategy. When choosing how deeply to encrypt a video, different regions of interest can be selected for encryption in the first layer, and different video stream fragments can be selected for encryption in the second layer. This achieves fine-grained control of a single video based on duration or bit rate.
4) The third layer adopts an attribute-based encryption scheme, which provides different access permissions for different users. Because groups of users are defined by user attribute sets, different access permissions only need to be provided for different user attribute sets, which avoids the large key management workload of allocating a public/private key pair to every user. The scheme can also interface with the Role-Based Access Control (RBAC) scheme commonly used in web systems while reducing key management.
5) Through a control tree built from AND and OR nodes, the permission control fields of a role are expressed as a tree structure, so that a user can determine whether they have access by evaluating the role's attributes against the user access control policy tree, which saves the terminal a large amount of computation.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of a fine-grained streaming media video encryption method based on the HLS protocol in an embodiment of the present invention;
Fig. 2 is a flowchart of the method for encrypting the index key shown in step S30 in the embodiment shown in Fig. 1;
Fig. 3 is a flowchart of a fine-grained streaming media video decryption method based on the HLS protocol in an embodiment of the present invention;
Fig. 4 is a flowchart of the overall fine-grained streaming media video encryption and decryption method based on the HLS protocol in another embodiment of the present invention;
Fig. 5 is a flowchart of a fine-grained streaming media video encryption method based on the HLS protocol in another embodiment of the present invention;
Fig. 6 is a schematic diagram of the structure of the user access control policy tree for the first six minutes in a further embodiment of the present invention;
Fig. 7 is a schematic diagram of the structure of the user access control policy tree after six minutes in a further embodiment of the present invention;
Fig. 8 is a flowchart of a fine-grained streaming media video decryption method based on the HLS protocol according to another embodiment of the present invention;
Fig. 9 is a schematic diagram of the structure of a user attribute set tree according to another embodiment of the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
Example one
Fig. 1 is a flowchart of a fine-grained streaming media video encryption method based on the HLS protocol in an embodiment of the present invention. The steps and their principles for encrypting streaming video are described in detail below with reference to fig. 1.
Step S110, namely, the first layer encryption step, encrypts the video fragment generated by the HLS protocol fragment server by using the video key according to the symmetric encryption algorithm, and stores the video key in the m3u8 index file.
In this step, the video slice content generated by HLS protocol slicing is preferably encrypted using a conventional block encryption or stream encryption algorithm. Further, a conventional selective video encryption scheme is preferred for this layer. Because the video stream format of HLS protocol slices is ts, the ts video structure is analyzed specifically; preferably, the I frames or DCT coefficients of the video slice are encrypted, and the video key is stored in the m3u8 index file. It should be noted that this embodiment places no specific limitation on the video key, as long as it has sufficient randomness.
This layer completes the encryption protection of the video fragments. It takes the video fragment as its granularity, and different video fragments correspond to different video encryption keys (namely video keys), so that the system's control over video access permissions reaches the level of individual video fragments.
Step S120, i.e., the second layer encryption step, encrypts the m3u8 index file with an index key according to a symmetric encryption algorithm.
In this step, the m3u8 index file containing the video key is preferably encrypted using a conventional block encryption or stream encryption algorithm. Further, a conventional selective video encryption scheme is preferred for this layer. This layer generates the index key according to the timeline access control policy of the video program corresponding to the video slice.
In this embodiment, a two-layer selective encryption strategy is adopted. When choosing how deeply to encrypt a video, different regions of interest can be selected for encryption in the first layer, and different video stream fragments can be selected for encryption in the second layer. This achieves fine-grained control of a single video based on duration or bit rate.
Step S130, i.e., the third layer of encryption, encrypts the index key according to the attribute encryption algorithm and the user access control policy.
Fig. 2 shows a flow diagram of a method of encrypting an index key in an embodiment of the invention. The specific process is as follows:
Step S131, i.e., the initialization step, generates a multiplicative cyclic group and calculates a public key and a private key.
Step S132, i.e., the index key encryption step, encrypts the index key using the secret number, the bilinear mapping function and the public key, and shares the secret number according to the user access control policy tree to obtain a ciphertext set.
The user access control policy tree is obtained by describing the user access control policy as a binary tree. Further, the user access control policy in this embodiment is formulated according to the timeline access control policy and the user attribute set of the video program corresponding to the video segment. The specific process of this step is as follows:
First, a random number belonging to a finite field of order p is generated and used as the secret number. It should be noted that p is a large prime number; in an implementation, a person skilled in the art can choose p according to actual needs.
Then, the index key is encrypted using the secret number, the bilinear mapping function and the public key to obtain the ciphertext of the encrypted index key. At the same time, the secret number is shared over the user access control policy tree to obtain the shared parameter of each leaf node in the tree.
Finally, the user access control policy tree, the ciphertext of the encrypted index key and the shared parameter of each leaf node in the user access control policy tree together form the ciphertext set.
Step S133, i.e., the storage step, stores the ciphertext set in the encrypted m3u8 index file.
This layer adopts an attribute-based encryption scheme, which provides different access permissions for different users. Because groups of users are defined by user attribute sets, different access permissions only need to be provided for different user attribute sets, which avoids the large key management workload of allocating a public/private key pair to every user.
In addition, the present embodiment further provides a fine-grained streaming media video decryption method based on the HLS protocol, which corresponds to the above encryption method, and is specifically shown in fig. 3. The steps and their principles for decrypting streaming video are described in detail below in conjunction with fig. 3.
Step S210, i.e., the first layer decryption step, calculates an index key according to the user attribute set. The specific process is as follows:
A reading step, namely reading the ciphertext set in the encrypted m3u8 index file.
An index key decryption step, namely calculating the share value of the root node of the user attribute set tree using the user attribute set tree, the secret word and the ciphertext set, and calculating the index key from the share value of the root node.
The user attribute set tree is obtained by describing the user attribute set as a binary tree. Further, the user attribute set in this embodiment refers to the attribute set of the user requesting the video program. The specific process of this step is as follows:
First, a secret word is generated from the user attribute set and the private key.
Then, the share value of the root node of the user attribute set tree is calculated using the user attribute set tree, the secret word and the ciphertext set, preferably iteratively.
Finally, a key in the cyclic group is calculated from the share value of the root node of the user attribute set tree and converted into the index key.
Step S220, the second layer decryption step, decrypts the encrypted m3u8 index file using the index key to obtain a decrypted m3u8 index file.
Step S230, i.e. the third layer decryption step, decrypts the encrypted video slice using the video key in the decrypted m3u8 index file.
In the embodiment, the video access authority control of fine granularity is realized through the three-layer video encryption and decryption scheme of the streaming media, and meanwhile, the security of data transmission of the streaming media is also ensured.
Example two
Fig. 4 is a flowchart of the overall fine-grained streaming media video encryption and decryption method based on the HLS protocol in the embodiment of the present invention. The steps and their principles are described in detail below with reference to Fig. 4, from the perspectives of both server encryption and terminal decryption.
Fig. 5 shows a flowchart of a fine-grained streaming media video encryption method based on the HLS protocol in an embodiment of the present invention. The steps of encrypting a streaming video and its principles are described in detail below from a server encryption perspective in conjunction with fig. 4 and 5.
A first layer encryption step: the encryption object is the video fragment, the encryption algorithm is preferably the Advanced Encryption Standard (AES) algorithm, and the video encryption key key_video is randomly generated. The specific encryption process is as follows:
First, a streaming media video segment (i.e., video fragment) generated by the HLS protocol fragmentation server is received.
Second, a video encryption key key_video is generated for encrypting the current video fragment.
Then, the video fragment is encrypted with the video encryption key key_video to obtain the encrypted video fragment.
Finally, the encrypted video fragment is stored in the storage cloud, and the video encryption key key_video is stored in a database.
A second layer encryption step: the encryption object is the m3u8 index file containing key_video, the encryption algorithm is the AES algorithm, and the index encryption key (i.e., index key) key_m3u8 is generated according to the timeline access control policy of the video program. The specific encryption process is as follows:
First, the timeline access control policy of the video program is read to generate the index encryption key key_m3u8.
Second, the video encryption key key_video is read and stored in the m3u8 index file, producing an m3u8 index file containing key_video.
Then, the m3u8 index file containing key_video is encrypted with the index encryption key key_m3u8 to obtain the encrypted m3u8 index file.
Finally, the encrypted m3u8 index file is stored in the storage cloud.
A third layer encryption step: the encryption object is the index encryption key key_m3u8, and the encryption algorithm is an Attribute-Based Encryption (ABE) algorithm. The specific encryption process is as follows:
First, initialization is performed: a multiplicative cyclic group is generated, and a public key and a private key are calculated.
Second, different user access attribute sets are defined for the timeline access control policy of the video program; these user access attribute sets constitute the user access control policy.
Then, taking the user access control policy, the public key and the index encryption key key_m3u8 as input, key_m3u8 is encrypted using the ABE algorithm to obtain a ciphertext set.
Finally, the ciphertext set is stored in the encrypted m3u8 index file and stored in the storage cloud.
The steps and their principles for decrypting a streaming video are described in detail below from a terminal decryption perspective in conjunction with fig. 4.
A first layer decryption step: the decryption object is the index key. The specific decryption process is as follows:
The terminal (user) applies to the RBAC authority control server for access.
The RBAC authority control server sends the terminal attribute set to the ABE encryption server.
The ABE encryption server generates a secret word from the terminal attribute set and the private key, and sends the secret word to the RBAC authority control server.
The RBAC authority control server sends the terminal attribute set and the secret word to the terminal.
The terminal requests the video program on demand from the storage cloud, that is, it requests the m3u8 index file of the video program.
The storage cloud sends the encrypted m3u8 index file corresponding to the video program to the terminal; the encrypted m3u8 index file contains the ciphertext set.
The terminal reads the ciphertext set and calculates the index key from the terminal attribute set, the secret word and the ciphertext set.
A second layer decryption step: the decryption object is the encrypted m3u8 index file. The terminal decrypts the encrypted m3u8 index file with the index key to obtain the decrypted m3u8 index file.
A third layer decryption step: the decryption object is the encrypted video fragment. The terminal decrypts the encrypted video fragment with the video key in the decrypted m3u8 index file to obtain the corresponding video fragment.
The streaming media video encryption and decryption method provided by the embodiments of the invention achieves fine-grained video access permission control while also ensuring the security of streaming media data transmission. Because the scheme is based on attribute encryption, groups of users are defined by attributes and permissions are not controlled at the level of individual users. The method can therefore interface with the RBAC scheme commonly used in web systems while reducing the amount of key management.
Example three
The following takes as an example a normal user requesting an ultra-clear video, and describes the working process of the streaming media video encryption and decryption method in further detail.
In order to clearly show the scheme and the advantages of the embodiment of the present invention, before explaining the third embodiment of the present invention in detail, some definitions are first made for the attributes of the video and the attributes of the user, as shown in table 1. From this, the scope of rights of different users to view the video can be determined.
TABLE 1 definition of attributes of video and of user
Figure BDA0001187560790000091
Encryption flow:
After an ultra-clear video is divided into video fragments according to the HLS protocol, each video fragment is encrypted with a different video encryption key. The encrypted video fragments and the video encryption keys are then stored, completing the first layer of encryption protection.
Different access control policies are provided for different time periods of the same ultra-clear video (for example, a normal user can only view the first 6 minutes, while a monthly user can view the whole video); this is the timeline access control policy of the video program. The timeline access control policy for this video program is therefore divided into two parts: the first six minutes, and after six minutes. Two index keys, key_m3u81 and key_m3u82, are generated according to the timeline access control policy of the video program. The correspondence between the index keys key_m3u81 and key_m3u82 and the timeline access control policy of the video program is shown in Table 2.
TABLE 2 Correspondence between key_m3u81, key_m3u82 and the video time periods
Index key | Video time period
key_m3u81 | The first six minutes
key_m3u82 | After six minutes
The index key key_m3u81 is used to encrypt the index file m3u81 covering the first six minutes of the video, and the index key key_m3u82 is used to encrypt the index file m3u82 covering the video after six minutes. Storing the encrypted index files m3u81 and m3u82, together with the index keys key_m3u81 and key_m3u82, completes the second layer of encryption protection.
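The timeline split described above, as an added example that is not part of the patent text: it parses a constructed HLS media playlist, splits it at the six-minute mark into the two index files m3u81 and m3u82, and writes a per-fragment video key into each. The `#X-VIDEO-KEY:` tag, the function names and the rule for a fragment that straddles the boundary are assumptions; encrypting each index file with its index key would follow and is not shown.

```python
import math
import secrets

# Constructed media playlist: five 100-second fragments (500 s in total).
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:100
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:100.0,
seg0.ts
#EXTINF:100.0,
seg1.ts
#EXTINF:100.0,
seg2.ts
#EXTINF:100.0,
seg3.ts
#EXTINF:100.0,
seg4.ts
#EXT-X-ENDLIST
"""

# Hypothetical tag: the patent stores the video key in the index file but
# does not say under which tag.
KEY_TAG = "#X-VIDEO-KEY:"


def parse_segments(text):
    """Return [(duration_seconds, uri), ...] from a media playlist."""
    segments, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#EXTINF:"):
            pending = float(line[len("#EXTINF:"):].split(",", 1)[0])
        elif line and not line.startswith("#"):
            if pending is None:
                raise ValueError(f"fragment {line!r} has no #EXTINF duration")
            segments.append((pending, line))
            pending = None
    return segments


def split_by_timeline(segments, boundary_s):
    """Split at boundary_s. A fragment that ends after the boundary goes to the
    restricted part (assumption: never expose content past the boundary, at the
    cost of a slightly shorter free part)."""
    first, rest, elapsed = [], [], 0.0
    for duration, uri in segments:
        elapsed += duration
        (first if elapsed <= boundary_s + 1e-9 else rest).append((duration, uri))
    return first, rest


def render_index(segments, first_seq, keys):
    """Render one index file with the video key of every fragment it lists."""
    target = math.ceil(max((d for d, _ in segments), default=0))
    lines = ["#EXTM3U", "#EXT-X-VERSION:3",
             f"#EXT-X-TARGETDURATION:{target}",
             f"#EXT-X-MEDIA-SEQUENCE:{first_seq}"]
    for duration, uri in segments:
        lines += [f"{KEY_TAG}{keys[uri]}", f"#EXTINF:{duration:.1f},", uri]
    lines.append("#EXT-X-ENDLIST")
    return "\n".join(lines) + "\n"


def build_indexes(text, boundary_s=360.0):
    """Return (m3u81, m3u82, keys): the plaintext index files for the first six
    minutes and for the remainder, plus the per-fragment video keys."""
    segments = parse_segments(text)
    keys = {uri: secrets.token_hex(16) for _, uri in segments}  # 128-bit keys
    first, rest = split_by_timeline(segments, boundary_s)
    return render_index(first, 0, keys), render_index(rest, len(first), keys), keys


if __name__ == "__main__":
    m3u81, m3u82, _ = build_indexes(SAMPLE_PLAYLIST)
    print(m3u81)
    print(m3u82)
```

Because each index file carries only the keys of its own fragments, a terminal that can decrypt m3u81 but not m3u82 learns nothing that opens the later fragments.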
Meanwhile, the different user attribute sets corresponding to the timeline access control policy of the video program are shown in table 3:
TABLE 3 User attribute sets corresponding to the timeline access control policy of the ultra-clear video program
Video time period | User attribute set
The first six minutes | {user='vip' or user='normal'}
After six minutes | {user='vip'}
Thus, two different user access control policies are defined:
User access control policy a for the first six minutes: {{vFmt = 2} and {user = 'vip' or user = 'normal'}}.
User access control policy b after six minutes: {{vFmt = 2} and {user = 'vip'}}.
Here, the user access control policy a for the first six minutes means: the video format is ultra-clear (i.e., 2) and the user attribute is monthly user (i.e., vip) or normal user (i.e., normal). The user access control policy b after six minutes means: the video format is ultra-clear (i.e., 2) and the user attribute is monthly user (i.e., vip). In this embodiment, the policies a and b are preferably each described by a binary tree, giving the first-six-minutes user access control policy tree a' and the after-six-minutes user access control policy tree b', as shown in Figs. 6 and 7.
Further, the index key is encrypted using the ABE algorithmm3u81And keym3u82The specific process is as follows:
An initialization step, specifically:
Select a group $G_1$ of large prime order $q$ with generator $g$; $e$ is a bilinear mapping function satisfying $e: G_1 \times G_1 \to G_T$.
Select two random numbers $\alpha, \beta \in Z_p$, where $Z_p$ is a finite field of order $p$.
Calculate the public key PK: $PK = \{q, g, h, e(g, g)^{\alpha}\}$, where $h = g^{\beta}$.
Calculate the private key MK: $MK = \{\beta, g^{\alpha}\}$.
An index key encryption step, encrypting key_m3u81 and key_m3u82, specifically:
The following describes in detail the encryption of the index key key_m3u81, taking the user access control policy a for the first six minutes as an example. The specific steps are:
First, a random number $s \in Z_p$ is generated and used as the secret number. The secret number s is shared over the user access control policy tree a' for the first six minutes. In this implementation, the sharing algorithm may preferably be implemented using the Lagrange interpolation theorem. Further, for each leaf node (c1, c2, c3, c4) of the policy tree a', the following is calculated respectively:
Figure BDA0001187560790000111
where $C_y$ and $C'_y$ are the shared parameters of leaf node y, H() gives a hash value, and attr(y) is the attribute value of the current leaf node y. Leaf node c1 corresponds to the leaf node vFmt:1 of the policy tree a', c2 to the leaf node vFmt: 0, c3 to the leaf node user = 'vip', and c4 to the leaf node user = 'normal'.
Then, the ciphertext set $CT_{a'}$ is formed:
Figure BDA0001187560790000112
where Y is the set of leaf nodes of the policy tree a', and func() converts the index key key_m3u81 into the group $G_T$,
Figure BDA0001187560790000113
and C is the ciphertext obtained by encrypting the index key key_m3u81.
Further, the ciphertext set $CT_{a'}$ is stored into the encrypted m3u81 index file.
It should be noted that the index key key_m3u82 is encrypted in a similar way to the index key key_m3u81; please refer to the description of encrypting key_m3u81 above. To reduce redundancy, further description is omitted here.
A storage step: the encrypted m3u81 index file containing the ciphertext set $CT_{a'}$ and the encrypted m3u82 index file containing the ciphertext set $CT_{b'}$ are stored into the m3u8 index file of the super-definition video, and the m3u8 index file is also stored, completing the third layer of encryption protection.
Decryption process:
The following describes in detail the specific steps of decrypting the high definition video, taking a certain general user as an example and referring to fig. 8:
First, a secret word SK is generated from the user attribute set and the private key:
Figure BDA0001187560790000121
where S is the user attribute set, r is an arbitrary number satisfying $r \in Z_p$ and $r_j \in Z_p$, D is the main field of the secret word SK, and $D_j$ and $D'_j$ are the secret shards corresponding to the j-th user set.
Then, the user requests the high-definition video, that is, requests the m3u8 index file of the high-definition video.
Finally, after obtaining the m3u8 index file of the encrypted high-definition video, the corresponding attribute set S and the secret word SK, the user reads the ciphertext set $CT_{a'}$ in the m3u8 index file. From these three parts, the user attribute set S, the secret word SK and the ciphertext set $CT_{a'}$, func(key_m3u81) is calculated. func()$^{-1}$ is then calculated to finally obtain the index key key_m3u81, completing the decryption of the first layer.
In the present embodiment, the calculation process of the index key key_m3u81 is specifically as follows:
The inputs of the terminal are the ciphertext set $CT_{a'}$, the secret word SK and the user attribute set S. Further, the user attribute set S may preferably be described by a binary tree to obtain a user attribute set tree S', as shown in fig. 9. As can be seen from fig. 9, the leaf nodes, i.e., the actual attribute sets, are {vFmt: 1}, {vFmt: × 0}, and {user = 'normal'}.
If i ∈ Y, the following formula is calculated:
Figure BDA0001187560790000122
Then, the final result is obtained by iterating over the whole user attribute set tree S'.
If the current node is AND, the left node value is x, and the right node value is y, then the value z of the node is:
z = 2x - y
If the current node is OR, the left node value is x, and the right node value is y, then the value z of the node is:
z = x OR y
Finally, a qualified user obtains the share value $A = e(g, g)^{rs}$ of the root node, and then calculates the final key func(key_m3u81) within the group $G_T$:
Figure BDA0001187560790000123
Further, by executing func()$^{-1}$, the value of the index key key_m3u81 is finally obtained.
After obtaining the index key key_m3u81, the user can completely decrypt the index fields for the first 6 minutes of the m3u8 file and at the same time obtain the video keys of the corresponding video slices, completing the decryption of the second layer.
After the user obtains the video key, the user can view the video by decrypting the video fragments, that is, authorization is obtained, and the decryption of the third layer is completed. However, when the video reaches 6 minutes, since { { vFmt>0 AND does not satisfy the requirement of the user access control policy tree b', the terminal cannot decrypt key_m3u82, so the decryption key of the corresponding video cannot be obtained and the video content after 6 minutes cannot be accessed, that is, it is not authorized.
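The sharing of the secret number s over a policy tree and its recombination at AND and OR nodes, as an added Python example that is not part of the patent. It works on bare shares modulo a prime rather than on pairing-group elements and collapses the vFmt condition into a single leaf; the modulus P, the tuple encoding of the trees and the function names are assumptions.

```python
import secrets

P = 2**127 - 1  # prime modulus standing in for the field Z_p (assumed value)

# Policy trees as nested tuples; leaf labels follow policies a and b,
# with the vFmt condition collapsed into one leaf (assumption).
POLICY_A = ("AND", ("LEAF", "vFmt=2"),
            ("OR", ("LEAF", "user=vip"), ("LEAF", "user=normal")))
POLICY_B = ("AND", ("LEAF", "vFmt=2"), ("LEAF", "user=vip"))

def share(node, value, out=None):
    """Push `value` down the tree; return {leaf label: share}.
    Leaf labels must be unique within one tree."""
    out = {} if out is None else out
    kind = node[0]
    if kind == "LEAF":
        out[node[1]] = value
    elif kind == "OR":
        # 1-of-2 threshold: constant polynomial, each child gets the value.
        share(node[1], value, out)
        share(node[2], value, out)
    else:
        # AND is a 2-of-2 threshold: q(t) = value + a*t, children get q(1), q(2).
        a = secrets.randbelow(P)
        share(node[1], (value + a) % P, out)
        share(node[2], (value + 2 * a) % P, out)
    return out

def recover(node, shares, attrs):
    """Return the node's value if `attrs` satisfies the subtree, else None."""
    kind = node[0]
    if kind == "LEAF":
        return shares[node[1]] if node[1] in attrs else None
    x = recover(node[1], shares, attrs)
    y = recover(node[2], shares, attrs)
    if kind == "OR":
        return x if x is not None else y
    if x is None or y is None:
        return None  # an AND node needs both children
    # Lagrange interpolation at 0 through (1, x) and (2, y): z = 2x - y.
    return (2 * x - y) % P

if __name__ == "__main__":
    s = secrets.randbelow(P)  # the secret number
    shares_a, shares_b = share(POLICY_A, s), share(POLICY_B, s)
    for name, attrs in [("normal", {"vFmt=2", "user=normal"}),
                        ("vip", {"vFmt=2", "user=vip"})]:
        ok_a = recover(POLICY_A, shares_a, attrs) == s
        ok_b = recover(POLICY_B, shares_b, attrs) == s
        print(f"{name}: first six minutes={ok_a}, after six minutes={ok_b}")
```

The normal user recovers s under policy a but gets nothing under policy b, which matches the cut-off at 6 minutes described above.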
It should be noted that the user access control policy is not limited to the two user access control policies a and b in this embodiment. In the specific implementation process, a person skilled in the art can set a control policy for user access according to actual needs, for example, a user on demand and an encryption time can be set.
In summary, the streaming media video encryption and decryption method provided by the embodiment of the present invention realizes fine-grained video access right control while ensuring the security of streaming media data transmission. In addition, the textual permission control field is expressed as a tree structure through a control tree scheme of AND and OR nodes, so that a user can determine whether access is permitted by putting the user's attributes into the user access control policy tree for analysis, which saves the terminal a large amount of computation.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (9)

1. A fine-grained streaming media video encryption method based on an HLS protocol is characterized by comprising the following steps:
a first layer of encryption step, namely encrypting the video fragments generated by the HLS protocol fragment server by using a video key according to a symmetric encryption algorithm, and storing the video key into an m3u8 index file;
a second layer of encryption step, namely encrypting the m3u8 index file corresponding to the video fragment by using an index key according to a symmetric encryption algorithm, wherein the index key is generated according to a timeline access control strategy of the video program corresponding to the video fragment;
a third layer of encryption step, which encrypts the index key according to an attribute encryption algorithm and a user access control strategy,
wherein the first layer encryption step and the second layer encryption step employ a selective encryption strategy.
2. The encryption method according to claim 1, wherein in the first layer encryption step, the video slice is selectively encrypted using the video key according to a block encryption or stream encryption algorithm.
3. The encryption method according to claim 2, wherein in the second layer encryption step, the m3u8 index file is selectively encrypted using the index key according to a block encryption or stream encryption algorithm.
4. The encryption method according to claim 1, wherein in the third layer encryption step, the user access control policy is made according to a timeline access control policy and a user attribute set of a video program corresponding to the video slice.
5. The encryption method of claim 4, wherein said third layer encryption step comprises:
initializing, namely generating a multiplication cycle group and calculating a public key and a private key;
encrypting an index key, namely encrypting the index key by using a secret number, a bilinear mapping function and the public key, and sharing the secret number according to a user access control strategy tree to obtain a ciphertext set; wherein the user access control policy tree is obtained by performing binary tree description on the user access control policy;
and a storage step, storing the ciphertext set into an encrypted m3u8 index file.
6. The encryption method according to claim 5, wherein the ciphertext set comprises the user access control policy tree, a ciphertext obtained by encrypting the index key, and a shared parameter of each leaf node in the user access control policy tree.
7. The encryption method according to claim 5, wherein in the encrypting the index key step, the secret number is shared using Lagrangian theorem according to the user access control policy tree.
8. A decryption method for decrypting the fine-grained streaming media video encryption method based on the HLS protocol according to any one of claims 1 to 7, comprising:
a first layer of decryption step, calculating an index key according to the user attribute set;
a second layer decryption step, decrypting the m3u8 index file encrypted by the selective strategy by using the index key to obtain a decrypted m3u8 index file;
and a third layer of decryption step, namely decrypting the video fragments encrypted by adopting the selective strategy by using the video key in the decrypted m3u8 index file.
9. Decryption method according to claim 8, characterized in that said first layer decryption step comprises:
reading, namely reading a ciphertext set in the encrypted m3u8 index file;
decrypting an index key, namely calculating a share value of a root node of a user attribute set tree by utilizing the user attribute set tree, a secret word and the ciphertext set, and calculating the index key according to the share value of the root node; wherein the user attribute set tree is obtained by performing binary tree description on the user attribute set.
CN201611192815.XA 2016-12-21 2016-12-21 Fine-grained streaming media video encryption and decryption method based on HLS protocol Active CN106790074B (en)

Publications (2)

Publication Number Publication Date
CN106790074A CN106790074A (en) 2017-05-31
CN106790074B true CN106790074B (en) 2020-08-11